31 March 2008

Organizations implement Operational Risk solutions to lower "volatility" in earnings growth and return on capital. The focus on volatility is because no institution likes to see peaks and valleys in their earnings or their return on capital. A steady and consistent growth curve without "Volatility" is the goal by many steadfast organizations.

Contrary to the goal of minimized "volatility" there are also those who feed off of the chaos and the large swings between these highs and lows in the marketplace and with specific companies in vital sectors of the financial economy. Will a Blueprint for Regulatory Reform be the answer?

As a hedge fund investor, can you explain what the strategy is for your investment fund? Do you know what your money is being invested in? Does your hedge fund manager provide transparency on calculating your return on funds invested? What was the reason you invested in alternative investments to begin with?

Carrying this analogy to the operational processes within your organization, the goal is to keep the processes running smoothly. When people or systems deviate from the agreed upon "Rule Sets" then change ensues along with the volatility of the performance measures. Errors, Omissions and systemic "glitches" are the catalysts to volatility that creates fear, uncertainty and doubt. Do you understand the Math? When the process gets to this stage and people don't trust the rules anymore, you are on the brink of a failure and impending loss, in dollars or peoples lives.

Operational Risk Management is a discipline that is emerging in corporate ranks because it has already proven that it saves lives. The regulators and inspector generals are going to demand it. The "Rule Sets" of playing business in the financial, health care and energy sectors are not the only ones being subjected to this increased scrutiny and renewed focus on OPS Risk. Now the Defense Industrial Base (DIB) and the Defense Department are under increased oversight at the highest echelons of the Pentagon as a result of a failure in Operational Risk Management.

Last week, the Department of Defense learned that four non- nuclear nose cone assemblies and their associated electrical components for a ballistic missile where mistakenly shipped to Taiwan in the fall of 2006. These items were originally shipped in March 2005 from F.E. Warren Air Force Base in Wyoming to the Defense Logistics Agency warehouse at Hill Air Force Base in Utah. There are no nuclear or fissile materials associated with these items.

Upon learning of the error, the U.S. government took immediate action to acquire positive control of the components and arranged for their safe and secure recovery to the United States. These items have now been safely returned to the United States.

Lessons learned are being discussed in the ranks of the U.S. Treasury Department and the Department of Defense all relating to the failure of people, processes, systems and or external events. Operational Risk is all around us and now ready for prime time focus in terms of strategy execution, implementation and measurement.

Whether you utilize Operational Risk Management (ORM) in the Defense Industrial Base or in the Financial Services sector it's important to revisit what it is NOT:

Operational Risk is Not:

About avoiding risk

A safety only program

Limited to complex-high risk evolutions

A program -- but a process

Only for on-duty

Just for your boss

Just a planning tool

Automatic

Static

Difficult

Someone else’s job

A well kept secret

A fail-safe process

A bunch of checklists

Just a bullet in a briefing guide

“TQL”

Going away

The goal of Risk Management is not to eliminate risk, but to manage risk so the mission can be accomplished with minimum impact. We manage risk to operate, not avoid risk as a means to prevent loss.

27 March 2008

The risk of offshoring is a growing concern. If this study by Deloitte is correct, your valuable and private financial information is likely to be off shore already.

Deloitte estimates that $356 billion, or 15 percent, of the financial service industry's current cost base is expected to move offshore within the next five years. Further, the range and number of offshored job functions within individual institutions is expected to increase, with the average number growing from two to four functions per institution. In particular, the traditional focus on IT alone, which accounts for 70 percent of current offshore activity, will change to a business-process emphasis. Competitive pressures are the primary motivator for financial institutions to move higher-risk functions offshore.

The banking industry has a list of Offshoring Risks that is in need of greater care and oversight.

Domestic outsourcing and offshoring share most risk characteristics. However, the more complicated chain of control incurred when offshoring financial services and related data may create new risks when compared to domestic outsourcing. Offshoring also introduces an element of country risk to the outsourcing process. In particular, geographic distance from the function and timing lags in reporting heighten the potential risk exposures. Significant offshoring risk areas include:

Country Risk: political, socio-economic, or other factors may amplify any of the traditional outsourcing risks, including those listed below.

Compliance Risk: offshore vendors may not have adequate privacy regulations.

Strategic Risk: different country laws may not protect "trade secrets."

Credit Risk: a vendor may not be able to fulfill its contract due to financial losses.

It is currently standard FFIEC examination procedure for examiners to review outsourcing arrangements during examinations. Part of a standardized procedure should include:

Identifying and reviewing contracts between financial institutions and data service providers that allow for subcontracting or subsequent outsourcing to occur;

Determining whether subsequent outsourcing has in fact occurred as indicated in the contract or outside the terms of the contract;

Determining if the financial institution is aware of the subsequent outsourcing and the location of the outsourcing; and

Determining if the financial institution has procedures for monitoring all outsourcing arrangements to ensure adequate controls are in place or the service provider has proper procedures and controls to monitor their outsourcing arrangements.

We recommend that your CSO, CCO and General counsel revisit your last audit on high risk outsourced relationships such as customer data-base type work, including mortgage servicing and customer-assistance/help-desk services.

18 March 2008

The Bear Stearns implosion has been predicted as a casualty of failed hedge funds. These entities are less regulated than banks and don't have to keep a minimum capital reserve. The limits on the amount of leverage they utilize can sometimes come back to burn you.

At least one federal lawsuit in New York seeking class- action status for alleged securities fraud was filed on Monday by an investor contending the company hid its true financial condition from shareholders.

"Who Knew What When" is the focus of the legal mechanism now in full swing as investigators at the SEC and other federal regulators begin their forensic examinations and interviews. Eliot Spitzer is finally a back story after his demise in the FINCEN money laundering investigation:

But what really snared Spitzer was a money laundering investigation that was flagged by suspicious activity reports (SARs) that banks have to file with the Treasury to surface everything from money laundering to terrorist activity. This network has been around for a while, but its importance escalated following the Sept. 11, 2001 terrorist attacks. According to the FBI’s charges the prostitution ring that counted Spitzer as a customer was investigated due to some shady bank accounts, checks and wire transfers with big totals ($39,000, $400,000 and others).

The nexus of eDiscovery, Data Mining and Operational Risk Management are in the news as these incidents are unraveled. The information and evidence from the data analysis will reveal the truth and those caught shredding documents or deleting files will no doubt become part of one of these inquiries.

Even today at 2AM JP Morgan Chase was searching Google with the terms "information operations risk management" and landed here on this Operational Risk Management Blog. Then they "Out Clicked" to A Defensible Standard of Care in hopes of finding answers to their questions.

The law suits and the lawyers are busy these days with the Federal Rules of Civil Procedure (FRCP) as they defend ongoing data breaches and bad behavior by employees and interested 3rd parties:

A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.

If the latest economic studies are correct, that's going to cost about $98.00 per record on the low side when it comes to the amount of money that these organizations will spend (unless insured) to clean up this operational risk related incident.

New York State has a new Governor at the same time the Bears are descending on Wall Street:

David A. Paterson became New York’s 55th Governor on March 17, 2008. In his first address as Governor, Paterson spoke about the challenges New York faces and his plan for New York’s future.

This month it's New York in the news but our prediction is that California will soon be next to capture the nations headlines. The legal buzzards are soaring overhead...

06 March 2008

The nature of transnational crime today can be broken down into three fundamental steps. Collection, Monetization and Laundering. This is not anything new yet the evolution of "Policing The Globe" has made dramatic leaps in the past few years. New Legal Attaches (Legats), Memorandums of Understanding with INTERPOL and other national law enforcement entities has created an increased coordination and cooperation across borders and continents.

Data warehousing, convergence of records data and more sophisticated methods for link analysis from companies such as i2 has made the detection and investigation of potential incidents more effective.

When the Collection phase is focused on harvesting Personal Identifiable Information (PII) for the purpose of ID Theft using Botnets or other cyber-related ploys the consumer will consistently suffer the direct effects. The retail banking institutions will be the ultimate target of the next phase of the criminal life cycle, the Monetization phase.

Using PII to gain access to bank accounts is taking on different forms these days, especially during times of economic hardship. The HELOC refinancing trends are upon us and at the same time the unsuspecting homeowner may be giving up vital equity that still exists in their loans or lines of credit, to criminal elements. Once any of these scams and frauds are completed the funds are quickly turned into cash using wire transfers, ACH and or even the old reliable ATM using 3rd parties. And it doesn't even have to go this far, when you can sell PII for cents or dollars per record in terms of it's quality and whether the targets have a stellar credit score or deep equity.

And finally we find that funds are then turned around into other business ventures to help conceal the source or origin of the proceeds, so that the money goes through the enevitable Laundering phase.

Now let's look at it through the lens of an OPS Risk perspective?

"Pirates, bandits, and smugglers have bedeviled governments since time immemorial. Politicians and media today obsess over terrorism and trafficking in drugs, arms, people and money. Far less is said or known, however, about the expanding global reach of the police, prosecutors, and agencies like Interpol and Europol charged with targeting transnational crime."

Peter Andreas and Ethan Nadelmann in their book, "Policing The Globe: Criminalization and Crime Control in International Relations" provide analysis and bridge the connections between justice and politics.

To what degree does your institution actually initiate proactive due diligence on your own, to try and identify who is attacking your organization or your assets? The nexus with Operational Risk has to do with the legal compliance and transnational agreements with other nations on what the "Rules of the Game" are for privacy, investigations and obtaining evidence. More importantly what are the coordination and cooperation activities with your own domestic and the foreign jurisdictions for a prosecution strategy, especially if you have employees and operations in-country?

This morning an explosive device was detonated in front of a defense recruiting office in Times Square, New York City by a bicyclist. This incident could be a precursor to a potential terrorist suicide attack or most likely, just a disgruntled war activist. A few days earlier, domestic Ecoterrorism is suspected in the burning of three high value homes in the Seattle, Washington area.

Whether the ID theft crimes are committed online collecting zeros and ones from unsuspecting consumers or businesses without the proper controls in place or the direct physical attack on specific or symbolic assets, the transnational question is in the forefront of many peoples minds.

While it's too early to try and connect these two incidents to the same individuals or to countries outside the United States, one thing is certain. The laws, tools and capabilities of International Law Enforcement are accelerating at a more rapid pace, as new operational risks emerge on a global scale. Politics will in some cases, try to influence the agenda and to unleash sanctions that diplomats and State Departments will work on collaboratively to achieve preemptive law enforcement agendas.

Here then are some of the steps the State Department said Barbados had taken in recent years to prevent fraud and money laundering:

Extended the money laundering laws to cover offenses other than those involving drugs.

Forced financial institutions to report suspicious transactions that may involve criminal activities, such as terrorism.

Placed the burden of proof on accused persons to demonstrate that property in their possession was "derived from a legitimate source". Failure to do so could lead to a presumption that it was acquired through illegal means.

The transnational ecosystem of crime control and international relations will continue to be a challenging arena for global enterprises. Ensuring that Operational Risk Teams are well equipped to provide assistance to investigators, law enforcement and government agencies is essential. Simultaneously preparing your employees for their inevitable exposure to these cases, law suits and incidents is a proactive strategy executives are actively investing in.

Liechtenstein remains vulnerable to money-laundering despite efforts by authorities to tighten regulations, International Monetary Fund and Council of Europe experts said Wednesday.

The tiny Alpine principality, currently at the heart of an international tax evasion scandal, offers "discreet and flexible legal structures, strict bank secrecy and favourable tax arrangements," the IMF said in a report.

Around 90 percent of Liechtenstein's financial services business is provided to non-residents, it noted.

About

Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institutions activities.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke